Courier Sqwebmail apache2 config files for http, https, Debian lenny

Below are the two apache2 config files I use for Courier Sqwebmail web mail. In the /var/www folder I have given Sqwebmail its own apache2 web root folder. In that folder I have made another folder for the CGI to work from. Then in the folder /var/www/webmail/ I have made a symbolic link to /usr/share/sqwebmail. I have also disabled the apache2 cgi mod and enabled the apache2 cgid mod and ssl mod. These two apache2 config files resolve to the DNS name webmail.colton.me.uk. The apache2 ssl config file I am using is an edited version of the Debian default-ssl file.

If you can add improvements, you're welcome to post your comments.

sudo mkdir /var/www/webmail

sudo mkdir /var/www/webmail/courier

cd /var/www/webmail/

sudo ln -s /usr/share/sqwebmail sqwebmail

cd /var/www/

sudo chown -R www-data:www-data webmail

Disable the cgi mod: sudo a2dismod cgi

Enable the cgid mod: sudo a2enmod cgid

Enable the ssl mod: sudo a2enmod ssl

Config file for apache2 Courier Sqwebmail http

Change the file name webmail.example.com to suit

sudo touch /etc/apache2/sites-available/webmail.example.com

Copy and paste to file: /etc/apache2/sites-available/webmail.example.com

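        # The <VirtualHost> and <Directory> container tags are assumed; they
        # follow the layout of the Debian default site file.
        <VirtualHost *:80>
        UseCanonicalName Off
        ServerName webmail.example.com

        DocumentRoot /var/www/webmail/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ScriptAlias /courier/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        RedirectMatch ^/$ /courier/sqwebmail/

        # Send every request arriving on port 80 to the https site.
        # These directives need mod_rewrite to be enabled.
        RewriteEngine   On
        RewriteCond     %{SERVER_PORT} ^80$
        RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
        RewriteLog      "/var/log/apache2/rewrite.log"
        RewriteLogLevel 2
        </VirtualHost>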

Enable this config file.

Change the file name webmail.example.com to suit.

sudo a2ensite webmail.example.com

A log file is needed for this apache2 config file.

sudo touch /var/log/apache2/rewrite.log

Config file for apache2 Courier Sqwebmail https

Change the file name webmail.example.com-ssl to suit

sudo touch /etc/apache2/sites-available/webmail.example.com-ssl

Copy and paste to file: /etc/apache2/sites-available/webmail.example.com-ssl

        # The <VirtualHost>, <Directory> and <FilesMatch> container tags are
        # assumed; they follow the layout of the Debian default-ssl file.
        <VirtualHost *:443>
        ServerName webmail.example.com

        DocumentRoot /var/www/webmail/
        <Directory />
                Options FollowSymLinks
                AllowOverride None
        </Directory>

        ScriptAlias /courier/ /usr/lib/cgi-bin/
        <Directory "/usr/lib/cgi-bin">
                AllowOverride None
                Options +ExecCGI -MultiViews +SymLinksIfOwnerMatch
                Order allow,deny
                Allow from all
        </Directory>

        # Possible values include: debug, info, notice, warn, error, crit,
        # alert, emerg.
        LogLevel warn

        CustomLog /var/log/apache2/ssl_access.log combined

        #   SSL Engine Switch:
        #   Enable/Disable SSL for this virtual host.
        SSLEngine on

        #   A self-signed (snakeoil) certificate can be created by installing
        #   the ssl-cert package. See
        #   /usr/share/doc/apache2.2-common/README.Debian.gz for more info.
        #   If both key and certificate are stored in the same file, only the
        #   SSLCertificateFile directive is needed.
        SSLCertificateFile    /etc/ssl/certs/ssl-cert-snakeoil.pem
        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key

        #   SSL Engine Options:
        #   Set various options for the SSL engine.
        #   o FakeBasicAuth:
        #     Translate the client X.509 into a Basic Authorisation.  This means that
        #     the standard Auth/DBMAuth methods can be used for access control.  The
        #     user name is the `one line' version of the client's X.509 certificate.
        #     Note that no password is obtained from the user. Every entry in the user
        #     file needs this password: `xxj31ZMTZzkVA'.
        #   o ExportCertData:
        #     This exports two additional environment variables: SSL_CLIENT_CERT and
        #     SSL_SERVER_CERT. These contain the PEM-encoded certificates of the
        #     server (always existing) and the client (only existing when client
        #     authentication is used). This can be used to import the certificates
        #     into CGI scripts.
        #   o StdEnvVars:
        #     This exports the standard SSL/TLS related `SSL_*' environment variables.
        #     Per default this exportation is switched off for performance reasons,
        #     because the extraction step is an expensive operation and is usually
        #     useless for serving static content. So one usually enables the
        #     exportation for CGI and SSI requests only.
        #   o StrictRequire:
        #     This denies access when "SSLRequireSSL" or "SSLRequire" applied even
        #     under a "Satisfy any" situation, i.e. when it applies access is denied
        #     and no other module can change it.
        #   o OptRenegotiate:
        #     This enables optimized SSL connection renegotiation handling when SSL
        #     directives are used in per-directory context.
        #SSLOptions +FakeBasicAuth +ExportCertData +StrictRequire
        <FilesMatch "\.(cgi|shtml|phtml|php)$">
                SSLOptions +StdEnvVars
        </FilesMatch>
        <Directory /usr/lib/cgi-bin>
                SSLOptions +StdEnvVars
        </Directory>

        #   SSL Protocol Adjustments:
        #   The safe and default but still SSL/TLS standard compliant shutdown
        #   approach is that mod_ssl sends the close notify alert but doesn't wait for
        #   the close notify alert from client. When you need a different shutdown
        #   approach you can use one of the following variables:
        #   o ssl-unclean-shutdown:
        #     This forces an unclean shutdown when the connection is closed, i.e. no
        #     SSL close notify alert is send or allowed to received.  This violates
        #     the SSL/TLS standard but is needed for some brain-dead browsers. Use
        #     this when you receive I/O errors because of the standard approach where
        #     mod_ssl sends the close notify alert.
        #   o ssl-accurate-shutdown:
        #     This forces an accurate shutdown when the connection is closed, i.e. a
        #     SSL close notify alert is send and mod_ssl waits for the close notify
        #     alert of the client. This is 100% SSL/TLS standard compliant, but in
        #     practice often causes hanging connections with brain-dead browsers. Use
        #     this only for browsers where you know that their SSL implementation
        #     works correctly.
        #   Notice: Most problems of broken clients are also related to the HTTP
        #   keep-alive facility, so you usually additionally want to disable
        #   keep-alive for those clients, too. Use variable "nokeepalive" for this.
        #   Similarly, one has to force some clients to use HTTP/1.0 to workaround
        #   their broken HTTP/1.1 implementation. Use variables "downgrade-1.0" and
        #   "force-response-1.0" for this.
        BrowserMatch ".*MSIE.*" \
                nokeepalive ssl-unclean-shutdown \
                downgrade-1.0 force-response-1.0

        RedirectMatch ^/$ /courier/sqwebmail/
        </VirtualHost>

Enable this config file.

Change the file name webmail.example.com-ssl to suit.

sudo a2ensite webmail.example.com-ssl

A log file is needed for this apache2 config file.

sudo touch /var/log/apache2/ssl_access.log

Check that you have the two SSL files that are needed.

ls -l /etc/ssl/certs/ssl-cert-snakeoil.pem

ls -l /etc/ssl/private/ssl-cert-snakeoil.key

sudo invoke-rc.d apache2 reload
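
A pre-reload check for the two site files above, as an added example that is not part of the original post: it confirms that the port-80 site redirects to https and that the SSL site has SSLEngine on, an existing certificate, and a key that is not world-readable. The function names and the scratch sample files are assumptions made for the illustration.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check the two site files.
# Function names are hypothetical helpers, not part of apache2 or Debian.

# Print only active directives: trim indentation, drop comments and blank lines.
active() { sed -e 's/^[[:space:]]*//' -e '/^#/d' -e '/^$/d' "$1"; }

# Port-80 site: the rewrite engine must be on and the rule must target https.
audit_http_site() {
    active "$1" | grep -Eiq '^RewriteEngine[[:space:]]+on' || { echo "rewrite engine off"; return 1; }
    active "$1" | grep -Eq '^RewriteRule[[:space:]].*[[:space:]]https://' || { echo "no https redirect"; return 1; }
}

# SSL site: SSLEngine on, certificate and key present, key not world-readable.
audit_ssl_site() {
    active "$1" | grep -Eiq '^SSLEngine[[:space:]]+on' || { echo "SSLEngine not on"; return 1; }
    cert=$(active "$1" | awk '$1 == "SSLCertificateFile" { print $2; exit }')
    key=$(active "$1" | awk '$1 == "SSLCertificateKeyFile" { print $2; exit }')
    [ -n "$cert" ] && [ -f "$cert" ] || { echo "certificate missing: $cert"; return 1; }
    [ -n "$key" ] && [ -f "$key" ] || { echo "key missing: $key"; return 1; }
    # -perm -004 matches when the "other" read bit is set on the key file.
    [ -z "$(find "$key" -prune -perm -004)" ] || { echo "key is world-readable: $key"; return 1; }
}

# Constructed sample files in a scratch directory, so this runs without apache2.
demo=$(mktemp -d)
: > "$demo/cert.pem"; : > "$demo/key.pem"; chmod 640 "$demo/key.pem"
cat > "$demo/http" <<'EOF'
        RewriteEngine   On
        RewriteCond     %{SERVER_PORT} ^80$
        RewriteRule     ^(.*)$ https://%{SERVER_NAME}$1 [L,R]
EOF
cat > "$demo/ssl" <<EOF
        #SSLEngine off
        SSLEngine on
        SSLCertificateFile    $demo/cert.pem
        SSLCertificateKeyFile $demo/key.pem
EOF
audit_http_site "$demo/http" && echo "http site: ok"
audit_ssl_site "$demo/ssl" && echo "ssl site: ok"
```

On a real host, pass the files under /etc/apache2/sites-available/ to the two functions instead of the scratch copies.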
